From owner-freebsd-security Sat Aug 28 9:45:16 1999
Message-Id: <4.1.19990828125707.04dcbac0@granite.sentex.ca>
Date: Sat, 28 Aug 1999 12:57:34 -0400
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Fwd: WU-FTPD Security Update
Sender: owner-freebsd-security@FreeBSD.ORG

Just in case this went missed by those not on bugtraq

        ---Mike

>Date: Thu, 26 Aug 1999 13:43:07 -0400
>Reply-To: WU-FTPD Development Group
>Sender: Bugtraq List
>From: Alex Yu
>Subject: WU-FTPD Security Update
>To: BUGTRAQ@SECURITYFOCUS.COM
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>                        WU-FTPD Security Update
>
>The WU-FTPD Development Group has been informed there is a vulnerability in
>some versions of wu-ftpd.
>
>This vulnerability may allow local & remote users to gain root privileges.
>
>Exploit information involving this vulnerability has been made publicly
>available.
>
>The WU-FTPD Development Group recommends sites take the steps outlined
>below as soon as possible.
>
>1.  Description
>
>    Due to insufficient bounds checking on directory name lengths which can
>    be supplied by users, it is possible to overwrite the static memory
>    space of the wu-ftpd daemon while it is executing under certain
>    configurations.  By having the ability to create directories and
>    supplying carefully designed directory names to the wu-ftpd, users may
>    gain privileged access.
>
>2.  Impact
>
>    This vulnerability may allow local & remote users to gain root
>    privileges.
>
>3.  Workarounds/Solution
>
>    Sites may prevent the exploitation of the vulnerability in wu-ftpd by
>    immediately upgrading and applying available patches.
>
>3.1 Affected versions
>
>    Versions known to be affected are:
>
>        wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
>        wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
>        wu-ftpd-2.5.0
>
>        BeroFTPD, all present versions
>
>    Other derivatives of wu-ftpd may be affected.  See the workarounds
>    (section 3.3) to determine if a derivative is vulnerable.
>
>    Versions known to be not affected are:
>
>        NcFTPd, all versions.
>        wu-ftpd-2.4.2 (final, from Academ)
>        All Washington University versions.
>
>        (Please note: ALL versions of WU-FTPD prior to
>        wu-ftpd-2.4.2-beta-18-vr10 including all WU versions, and all
>        Academ 2.4.1 and 2.4.2 betas, are vulnerable to a remote user
>        root-leveraging attack.  See CERT Advisory CA-99-03 'FTP Buffer
>        Overflows' at
>        http://www.cert.org/advisories/CA-99-03-FTP-Buffer-Overflows.html
>        and section 3.2)
>
>3.2 Upgrade to latest wu-ftpd and apply patch
>
>    The latest version of wu-ftpd from the WU-FTPD Development Group is
>    2.5.0; sites running earlier versions should upgrade to this version as
>    soon as possible.
>
>    The WU-FTPD Development Group has a patch available which corrects this
>    vulnerability.  The patch is available directly from the WU-FTPD
>    Development Group's primary distribution site, and will be propagating
>    to its mirrors shortly.
>
>    Several other patches to version 2.5.0 are also available.  The WU-FTPD
>    Development Group recommends all available patches be applied.
>
>    Patches for version 2.5.0 are available at the primary distribution
>    site:
>
>        ftp://ftp.wu-ftpd.org/pub/wu-ftpd/quickfixes/apply_to_2.5.0/
>
>    The following patches are available:
>
>    CRITICAL-SECURITY.PATCH
>
>        Alternate name for mapped.path.overrun.patch.
>
>    mapped.path.overrun.patch
>
>        Corrects a problem in the implementation of the MAPPING_CHDIR
>        feature which could be used to gain root privileges.  All sites
>        should apply this patch as soon as possible.
>
>    not.in.class.patch
>
>        Corrects a problem where anonymous users not in any class could
>        gain anonymous access to the server under certain conditions.
>        All sites should apply this patch.
>
>    glibc.wtmp.patch
>
>        Corrects a problem with Linux systems where logout from wu-ftpd
>        was not properly recorded in the wtmp file.  Sites running
>        wu-ftpd on Linux should apply this patch.
>
>    rfc931.timeout.patch
>
>        Corrects some problems with the RFC931 implementation when the
>        remote site does not respond.  Under some conditions, wu-ftpd
>        would hang, failing to properly time out.  Sites experiencing
>        unexplained hanging wu-ftpd processes should apply this patch.
>
>    data-limit.patch
>
>        Corrects a documentation error.  Released as a patch due to the
>        number of questions the error caused.  This patch may be safely
>        omitted on all sites.
>
>    deny.not.nameserved.patch
>
>        Corrects a problem in the implementation of '!nameserved' when
>        attempting to deny access to remote users whose hosts do not
>        have proper DNS.  All sites should apply this patch.
>
>    Special note for BeroFTPD:
>
>    BeroFTPD users should be able to apply the mapped.path.overrun.patch to
>    their version of wu-ftpd.  (This has been tested by the WU-FTPD
>    Development Group on BeroFTPD 1.3.4; it applied cleanly, with some
>    drift in line numbers.)  The other patches are for version 2.5.0 of
>    wu-ftpd only and should not be applied to BeroFTPD.
>
>3.3 Apply work-around patch and recompile existing source.
>
>    The feature causing this problem can be disabled at compile time in all
>    affected versions of the daemon:
>
>    o   Locate the following text in config.h:
>
>        /*
>         * MAPPING_CHDIR
>         * Keep track of the path the user has chdir'd into and respond with
>         * that to pwd commands.  This is to avoid having the absolue disk
>         * path returned.  This helps avoid returning dirs like '.1/fred'
>         * when lots of disks make up the ftp area.
>         */
>
>    o   If this text is not present, your version of the daemon is NOT
>        vulnerable.
>
>    o   Change the following line from:
>
>        #define MAPPING_CHDIR
>
>        to
>
>        #undef MAPPING_CHDIR
>
>    o   Rebuild and install the new ftpd executable.
>
>- --
>
>Gregory A Lundberg              WU-FTPD Development Group
>1441 Elmdale Drive              lundberg@wu-ftpd.org
>Kettering, OH 45409-1615 USA    1-800-809-2195
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 6.5
>
>iQCVAwUBN8VXQg7NCCRiiFh1AQFMDQP+PM9pWpqGo9xEcn1XdEgfmr1mcqZ2y9gY
>geyRyPtv8xsLqbAMcQQ/KsDO3aP4sdT3yMA0EHZKohiAG3Sx38bGBe9geaOdbUxe
>jSGzc6yDIxLwegJuWK35V7C8L9BbvFCbednvmXoToshuagcGFY8ZIP2ZyDuwz4EM
>VxD1ILqHUww=
>=r1tK
>-----END PGP SIGNATURE-----

**********************************************************************
Mike Tancsa, Network Admin        *  mike@sentex.net
Sentex Communications Corp,       *  http://www.sentex.net/mike
Cambridge, Ontario                *  01.519.651.3400
Canada                            *
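
The class of defect the advisory's Description names (a tracked working-directory path kept in static memory and extended with user-supplied directory names without a length check) is shown below next to a bounds-checked form. This is an added example, not part of the original message and not wu-ftpd's code; the buffer name, its 64-byte size and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAPPED_MAX 64   /* hypothetical size, kept small for the demo */

/* Logical working directory as reported to the client (hypothetical name). */
char mapped[MAPPED_MAX] = "/";

/* Unsafe pattern: the element length is never compared with the space
 * left, so a long enough directory name writes past the static buffer.
 * Shown for contrast only; nothing in this example calls it. */
void append_elem_unchecked(const char *elem)
{
    if (strcmp(mapped, "/") != 0)
        strcat(mapped, "/");
    strcat(mapped, elem);
}

/* Hardened form: accept the element only if separator + name + NUL fit.
 * Returns 0 on success, -1 if it would not fit (buffer left unchanged). */
int append_elem_checked(const char *elem)
{
    size_t cur = strlen(mapped);
    size_t sep = (cur > 1) ? 1 : 0;          /* no extra '/' after root */
    size_t room = sizeof(mapped) - cur - sep; /* bytes left, NUL included */
    size_t add = strlen(elem);

    if (add == 0 || add >= room)
        return -1;                           /* caller should fail the chdir */
    if (sep)
        mapped[cur++] = '/';
    memcpy(mapped + cur, elem, add + 1);     /* copies the NUL as well */
    return 0;
}

void reset_mapped(void) { strcpy(mapped, "/"); }
const char *mapped_path_now(void) { return mapped; }

int main(void)
{
    char longname[200];                      /* constructed oversized name */
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    reset_mapped();
    printf("%d %s\n", append_elem_checked("pub"), mapped_path_now());
    printf("%d %s\n", append_elem_checked("incoming"), mapped_path_now());
    printf("%d %s\n", append_elem_checked(longname), mapped_path_now());
    return 0;
}
```
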